Context Navigation

source: trunk/admin/plog-manage.php @ 159

Revision 159, 25.6 KB checked in by anti, 5 years ago (diff)

+ use htmlspecialchars() on the messages returned by some functions, before displaying them to the user,

because those messages might contain user input (results of add_collection/update_collection do in some cases)
and this could be used for XSS attacks

Line
1	<?php
2
3	require("plog-globals.php");
4	require_once("../plog-load_config.php"); // load configuration variables from database
5	require_once("plog-admin-functions.php");
6	error_reporting(E_ERROR);
7	global $inHead;
8
9	$inHead = '<script type="text/javascript" src="js/plogger.js"></script>';
10
11	function generate_pagination_view_menu() {
12
13	$java = 'document.location.href = \''.$_SERVER["PHP_SELF"].'?level='.$_REQUEST["level"].
14	'&id='.$_REQUEST["id"].'&entries_per_page=\'+this.options[this.selectedIndex].value';
15
16	$possible_values = array("5"=>5, "10"=>10, "20"=>20, "50"=>50);
17	$output.= 'Entries per page <select onchange="'.$java.'" name="entries_per_page">';
18
19	foreach ($possible_values as $key => $value)
20	if ($_SESSION['entries_per_page'] == $key)
21	$output .= "<option value=\"$value\" selected>$key</option>";
22	else
23	$output .= "<option value=\"$value\">$key</option>";
24
25	$output.= '</select>';
26
27	return $output;
28
29	}
30
31	function generate_move_menu($level) {
32	global $TABLE_PREFIX;
33	if ($level != "collections" and $level != "comments"){
34
35	if ($level == "albums") $parent = "collections";
36	if ($level == "pictures") $parent = "albums";
37	$output .= '<input class="submit" type="submit" name="action" value="Move Checked To"/>';
38
39	if ($level == "pictures") {
40	$albums = get_albums();
41	$output .= generate_albums_menu($albums);
42	} else {
43	$output .= '<select name="group_id">';
44	$collections = get_collections();
45	foreach($collections as $collection) {
46	$output .= '<option value="'.$collection["id"].'">'.$collection["name"];
47	$output .= '</option>';
48	}
49	$output .= '</select>';
50	}
51
52	return $output;
53	}
54	}
55
56	function generate_albums_menu($albums) {
57	foreach($albums as $album_id => $album) {
58	$output .= "<select name=\"group_id\">";
59	if ($_REQUEST["albums_menu"] == $album_id \|\| $_REQUEST["new_album_name"] == $album['album_name'])
60	$selected = " selected"; else $selected = "";
61
62	$output .= "<option value=\"".$album_id."\"$selected>".$album['collection_name']." : ".$album['album_name']."" ;
63	$output .= "</option>";
64	}
65
66	$output .= "</select>";
67
68	return $output;
69	}
70
71	function generate_breadcrumb_admin($level, $id){
72	global $TABLE_PREFIX;
73	switch ($level){
74	case 'collections':
75	$breadcrumbs = '<b>Collections</b>';
76
77	break;
78	case 'albums':
79	$query = "SELECT * FROM `".$TABLE_PREFIX."collections` WHERE `id`='".$id."'";
80	$result = run_query($query);
81	$row = mysql_fetch_assoc($result);
82
83	$collection_name = $row["name"];
84
85	$breadcrumbs = '<a href="'.$_SERVER["PHP_SELF"].'">Collections</a> » ' . "<b>$collection_name</b>";
86
87	break;
88	case 'pictures':
89
90	$query = "SELECT * FROM `".$TABLE_PREFIX."albums` WHERE `id`='".$id."'";
91	$result = run_query($query);
92	$row = mysql_fetch_assoc($result);
93
94	$album_link = $row["name"];
95
96	$query = "SELECT * FROM `".$TABLE_PREFIX."collections` WHERE `id`='".$row["parent_id"]."'";
97	$result = run_query($query);
98	$row = mysql_fetch_assoc($result);
99
100	$collection_link = '<a href="'.$_SERVER["PHP_SELF"].'?level=albums&id='.$row["id"].'">'.$row["name"].'</a>';
101
102	$breadcrumbs = '<a href="'.$_SERVER["PHP_SELF"].'">Collections</a> » ' . $collection_link . ' » ' . '<b>'. $album_link.'</b>';
103
104	break;
105	case 'comments':
106
107	$query = "SELECT * FROM `".$TABLE_PREFIX."pictures` WHERE `id`='".$id."'";
108	$result = run_query($query);
109	$row = mysql_fetch_assoc($result);
110
111	$picture_link = '<b>'.$row["path"].'</b>';
112	$album_id = $row["parent_album"];
113	$collection_id = $row["parent_collection"];
114
115	$query = "SELECT * FROM `".$TABLE_PREFIX."albums` WHERE `id`='".$album_id."'";
116	$result = run_query($query);
117	$row = mysql_fetch_assoc($result);
118
119	$album_link = '<a href="'.$_SERVER["PHP_SELF"].'?level=pictures&id='.$album_id.'">'.$row["name"].'</a>';
120
121	$query = "SELECT * FROM `".$TABLE_PREFIX."collections` WHERE `id`='".$collection_id."'";
122	$result = run_query($query);
123	$row = mysql_fetch_assoc($result);
124
125	$collection_link = '<a href="'.$_SERVER["PHP_SELF"].'?level=albums&id='.$collection_id.'">'.$row ["name"].'</a>';
126
127	$breadcrumbs = '<a href="'.$_SERVER["PHP_SELF"].'">Collections</a> » ' . $collection_link . ' » '
128	.$album_link. ' » '.$picture_link . ' »' . " Comments";
129
130	break;
131	default:
132	$breadcrumbs = '<b>Collections</b>';
133	}
134
135	return '<div id="breadcrumb_links">'.$breadcrumbs.'</div>';
136	}
137
138
139	if (!isset($_REQUEST["level"]) or $_REQUEST["level"] == '') $level = "collections";
140	else $level = $_REQUEST['level'];
141
142	$output = '<h1>Manage Content</h1>';
143
144	global $config;
145
146
147	// here we will determine if we need to perform a move or delete action.
148	if (isset($_REQUEST["action"])) {
149	$num_items = 0;
150
151	$action_result = array();
152
153	if ($_REQUEST["action"]== "Delete Checked") {
154	// perform the delete function on the selected items
155
156	if (isset($_REQUEST["Selected"])) {
157	foreach($_REQUEST["Selected"] as $del_id) {
158	// lets build the query string
159	if ($level == "pictures") {
160	$rv = delete_picture($del_id);
161	}
162	if ($level == "collections") {
163	$rv = delete_collection($del_id);
164	}
165	if ($level == "albums") {
166	$rv = delete_album($del_id);
167	}
168
169	if (isset($rv['errors'])) {
170	$output .= '<p class="errors">' . $rv['errors'] . '</p>';
171	} else {
172	$num_items++;
173	};
174	}
175
176	$output .= "<p class=\"actions\">You have deleted $num_items entry(s) successfully.</p>";
177	}
178	else{
179	$output .= "<p class=\"errors\">Nothing selected to delete!</p>";
180	}
181	}
182	else if ($_REQUEST["action"] == "Move Checked To") {
183	if ($level == "albums") $parent = "parent_id";
184	if ($level == "pictures") $parent = "parent_album";
185
186	// perform the move function on the selected items
187	$pid = $_REQUEST["group_id"];
188
189	if (isset($_REQUEST["Selected"])) {
190	foreach($_REQUEST["Selected"] as $mov_id) {
191
192	// if we are using pictures we need to update the parent_collection as well
193	if ($level == "pictures") {
194	// lets build the query string
195	$mov_id = intval($mov_id);
196	$query = "UPDATE ".$TABLE_PREFIX."$level SET `$parent` = '$pid' WHERE `id`='$mov_id'";
197	$result = run_query($query);
198	$num_items++;
199
200	// we need the parent_id from the album we're changing to
201	$query = "SELECT * FROM ".$TABLE_PREFIX."albums WHERE `id` = '$pid'";
202	$result = run_query($query);
203	$row = mysql_fetch_assoc($result);
204	$new_collection = $row['parent_id'];
205
206	// set the new parent id
207	$query = "UPDATE ".$TABLE_PREFIX."$level SET `parent_collection` = '$new_collection' WHERE `id`='$mov_id'";
208	$result = run_query($query);
209
210	// move picture to new location
211	// we need to query to get collection names and album names to find new directory path
212
213	$sql = "SELECT p.path as path, c.path as collection_path, a.path as album_path_
214	FROM ".$TABLE_PREFIX."albums a, ".$TABLE_PREFIX."pictures p, ".$TABLE_PREFIX."collections c
215	WHERE p.parent_album = a.id AND p.parent_collection = c.id AND p.id = '$mov_id'";
216
217	$result = run_query($sql);
218	$row = mysql_fetch_assoc($result);
219
220	$filename = basename($row['path']);
221	$directory = $row['collection_path']."/".$row['album_path']."/";
222	$new_path = $directory.$filename;
223
224	if (!rename($config['basedir']."images/".$row['path'], $config['basedir']."images/".$new_path))
225	$output .= "<p class=\"errors\">Error moving file! ($row[path] to $new_path)</p>";
226
227	// update database
228	$sql = "UPDATE ".$TABLE_PREFIX."pictures SET path = '$new_path' WHERE id = '$mov_id'";
229	mysql_query($sql) or ($output .= "<p class=\"errors\">".mysql_error()."</p>");
230	}
231	else if ($level == "albums") {
232	// if we are moving entire albums then we need to rename the folder
233	// $pid is our target collection id, $mov_id is our source album
234
235	// rename the directory
236	// first, get the album name and collection name of our source album
237	$sql = "SELECT c.path as collection_path, a.path as album_path
238	FROM ".$TABLE_PREFIX."albums a, ".$TABLE_PREFIX."collections c
239	WHERE c.id = a.parent_id AND a.id = '$mov_id'";
240
241	$result = run_query($sql);
242	$row = mysql_fetch_assoc($result);
243
244	$source_album_name = $row["album_path"];
245	$source_collection_name = $row["collection_path"];
246
247	// next, get the collection name of our destination collection
248	$sql = "SELECT c.path as collection_path
249	FROM ".$TABLE_PREFIX."collections c
250	WHERE c.id = '$pid'";
251
252	$result = run_query($sql);
253	$row = mysql_fetch_assoc($result);
254
255	$target_collection_name = $row["collection_path"];
256
257	$source_path = $config['basedir']."images/".$source_collection_name."/".$source_album_name;
258	$target_path = $config['basedir']."images/".$target_collection_name."/".$source_album_name;
259
260	if (!rename($source_path, $target_path))
261	$output .= '<p class="errors">Could not rename directory!</p>';
262
263	// now we need to update the database paths of all pictures within source album
264	$sql = "SELECT p.path as path, c.name as collection_name, a.name as album_name
265	FROM ".$TABLE_PREFIX."albums a, ".$TABLE_PREFIX."pictures p, ".$TABLE_PREFIX."collections c
266	WHERE p.parent_album = a.id AND p.parent_collection = c.id AND p.parent_album = '$mov_id'";
267
268	$result = run_query($sql);
269
270	while($row = mysql_fetch_assoc($result)) {
271
272	$filename = basename($row['path']);
273
274	$new_path = $target_collection_name."/".$source_album_name."/".$filename;
275
276	// if (!rename("../".$row['path'], "../".$new_path))
277	// $output .= "<p class=\"errors\">Error moving file! ($row[path] to $new_path)</p>";
278	// $output .= "<p class=\"actions\">Updating database: $row[path] -> $new_path</p>";
279	// update database
280	$sql = "UPDATE ".$TABLE_PREFIX."pictures SET path = '$new_path' WHERE path = '$row[path]'";
281	mysql_query($sql) or ($output .= "<p class=\"errors\">".mysql_error()."</p>");
282	}
283
284	// lets build the query string
285	$query = "UPDATE ".$TABLE_PREFIX."albums SET `$parent` = '$pid' WHERE `id`='$mov_id'";
286	$result = run_query($query);
287	$num_items++;
288
289
290
291	}
292
293	}
294
295	$output .= "<p class=\"actions\">You have moved $num_items entry(s) successfully.</p>";
296	}
297	else{
298	$output .= "<p class=\"errors\">Nothing selected to move!</p>";
299	}
300	}
301	else if ($_REQUEST["action"] == "edit-picture") {
302	// show the edit form
303	$sql = "SELECT * FROM ".$TABLE_PREFIX."pictures p WHERE p.id = '" . $_REQUEST["pid"] . "'";
304	$result = run_query($sql);
305	$photo = mysql_fetch_assoc($result);
306	if ($photo['allow_comments'] == 1) $state = "checked"; else $state = "";
307
308	$output .= '<form class="edit" action="'.$_SERVER["PHP_SELF"].'" method="post">';
309
310
311	$output .= 'Caption:<br/><input size="80" name="caption" id="caption" value="'.$photo['caption'].'">
312	Allow Comments? <input type="checkbox" id="allow_comments" name="allow_comments" value="1"'." $state>";
313
314	$output .= '<input type="hidden" name="level" value="'.$_REQUEST['level'].'"><input type="hidden"
315	name="id" value="'.$photo['parent_album'].'"><input type="hidden"
316	name="pid" value="'.$photo['id'].'"><input type="hidden"
317	name="action" value="update-picture"><button class="submit" type="submit">Update</button>';
318
319	$output .= '</form>';
320
321	}
322	else if ($_REQUEST["action"] == "edit-album") {
323	// show the edit form
324
325	$output .= '<form class="edit" action="'.$_SERVER["PHP_SELF"].'" method="post">';
326
327	$sql = "SELECT * FROM ".$TABLE_PREFIX."albums a WHERE a.id = '" . $_REQUEST["pid"] . "'";
328	$result = run_query($sql);
329	$album = mysql_fetch_assoc($result);
330
331	$sql = "SELECT id,caption,path FROM ".$TABLE_PREFIX."pictures p
332	WHERE p.parent_album = '" . $_REQUEST["pid"] . "'";
333
334	$images = "<option value='0'>automatic</option>";
335	$result = run_query($sql);
336	while($row = mysql_fetch_assoc($result)) {
337	$selected = ($row["id"] == $album["thumbnail_id"]) ? " selected" : "";
338	$images .= "<option value='" . $row["id"] . "'" . $selected . ">";
339	$images .= !empty($row["caption"]) ? $row["caption"] : basename($row["path"]);
340	$images .= "</option>\n";
341	};
342
343
344	$output .= 'Name:<br/><input size="30" name="name" id="name" value="'.$album['name'].'"><br/>
345	Description:<br/><input size="80" name="description" id="description" value="'.$album['description'].'"><br/>
346	Thumbnail:<br/><select name="thumbnail_id" id="thumbnail_id">' . $images . '</select>';
347
348	$output .= '<input type="hidden" name="level" value="'.$_REQUEST['level'].'"><input type="hidden"
349	name="pid" value="'.$_REQUEST['pid'].'"><input type="hidden"
350	name="id" value="'.$_REQUEST['id'].'"><input type="hidden"
351	name="action" value="update-album"><tr><td><button class="submit" type="submit">Update</button>';
352
353	$output .= '</form>';
354
355	}
356	else if ($_REQUEST["action"] == "edit-collection") {
357	// show the edit form
358	$output .= '<form class="edit" action="'.$_SERVER["PHP_SELF"].'" method="post">';
359
360	$sql = "SELECT * FROM ".$TABLE_PREFIX."collections c WHERE c.id = '" . $_REQUEST["pid"] . "'";
361	$result = run_query($sql);
362	$collection = mysql_fetch_assoc($result);
363
364	$sql = "SELECT p.id AS id,caption,p.path AS path,a.name AS album_name FROM ".$TABLE_PREFIX."pictures p
365	LEFT JOIN " . $TABLE_PREFIX . "albums AS a ON p.parent_album = a.id
366	WHERE p.parent_collection = '" . $_REQUEST["pid"] . "' ORDER BY a.name,p.date_submitted";
367
368	$images = "<option value='0'>automatic</option>";
369	$result = run_query($sql);
370	while($row = mysql_fetch_assoc($result)) {
371	$selected = ($row["id"] == $collection["thumbnail_id"]) ? " selected" : "";
372	$images .= "<option value='" . $row["id"] . "'" . $selected . ">";
373	$images .= $row["album_name"] . " : ";
374	$images .= !empty($row["caption"]) ? $row["caption"] : basename($row["path"]);
375	$images .= "</option>\n";
376	};
377
378
379	$output .= 'Name:<br/><input size="30" name="name" id="name" value="'.$collection['name'].'"><br/>
380	Description:<br/><input size="80" name="description" id="description" value="'.$collection['description'].'"><br/>
381	Thumbnail:<br/><select name="thumbnail_id" id="thumbnail_id">' . $images . "</select>";
382
383	$output .= '<input type="hidden" name="level" value="'.$_REQUEST['level'].'"><input type="hidden"
384	name="pid" value="'.$_REQUEST['pid'].'"><input type="hidden"
385	name="id" value="'.$_REQUEST['id'].'"><input type="hidden"
386	name="action" value="update-collection"><button class="submit" type="submit">Update</button>';
387
388	$output .= '</form>';
389
390	}
391	else if ($_REQUEST["action"] == "edit-comment") {
392	// show the edit form
393	$comment_id = intval($_GET["pid"]);
394	$sql = "SELECT * FROM ".$TABLE_PREFIX."comments c WHERE c.id = '$comment_id'";
395	$result = run_query($sql);
396	$comment = mysql_fetch_assoc($result);
397	$output .= '<form class="edit" action="'.$_SERVER["PHP_SELF"].'" method="post"><table>';
398
399	$output .= '<tr><td>Author:<br/><input size="30" name="author" id="author" value="'.SmartStripSlashes($comment['author']).'"></td>
400	<td>Email:<br/><input size="30" name="email" id="email" value="'.SmartStripSlashes($comment['email']).'"></td>
401	<td>Website:<br/><input size="30" name="url" id="url" value="'.SmartStripSlashes($comment['url']).'"></td></tr>
402	<tr><td colspan="3">Comment:<br/> <textarea cols="70" rows="4" name="comment" id="comment">'.
403	SmartStripSlashes($comment['comment']).'</textarea></td></tr></table>';
404
405	$output .= '<input type="hidden" name="level" value="'.$_REQUEST['level'].'"><input type="hidden"
406	name="pid" value="'.$comment['id'].'"><input type="hidden"
407	name="id" value="'.$_REQUEST['id'].'"><input type="hidden"
408	name="action" value="update-comment"><button class="submit" type="submit">Update</button>';
409
410	$output .= '</form>';
411
412	}
413	else if ($_POST['action'] == 'update-picture') {
414	$action_result = update_picture($_POST['pid'],$_POST['caption'],$_POST['allow_comments']);
415	}
416	else if ($_POST['action'] == 'update-album') {
417	$action_result = update_album($_POST['pid'],$_POST['name'],$_POST['description'],$_POST['thumbnail_id']);
418	}
419	else if ($_POST["action"] == "update-collection") {
420	$action_result = update_collection($_POST["pid"],$_POST["name"],$_POST["description"],$_POST["thumbnail_id"]);
421	}
422	else if ($_POST["action"] == "update-comment") {
423	$action_result = update_comment($_POST["pid"],$_POST["author"],$_POST["email"],$_POST["url"],$_POST["comment"]);
424	}
425	else if ($_POST["action"] == "add-collection") {
426	$action_result = add_collection($_POST["name"],$_POST["description"]);
427	}
428	else if ($_POST["action"] == "add-album") {
429	$action_result = add_album($_POST["name"],$_POST["description"],$_POST["id"]);
430	}
431
432	// pass the results through htmlspecialchars, because they might contain user input
433	if (!empty($action_result['errors'])) {
434	$output .= '<p class="errors">' . htmlspecialchars($action_result['errors']) . '</p>';
435	} elseif (!empty($action_result['output'])) {
436	$output .= '<p class="actions">' . htmlspecialchars($action_result['output']) . '</p>';
437	};
438	}
439
440	$output .= '<form id="contentList" action="'.$_SERVER["PHP_SELF"].'" method="post">';
441
442	// here we will generate a "add collection/album" header
443	if ($level == "collections") {
444	$output .= '<div class="box-3"><h2 class="add">Create a Collection: </h2><label for="name">Name </label><br/><input name="name" id="name">
445	<br/><label for="description">Description </label><br/><input name="description" id="description" size="50">
446	<input name="action" type="hidden" value="add-collection">
447	<input class="submit" type="submit" value="Add Collection">
448	</div>';
449	}
450	else if ($level == "albums") {
451	$output .= '<div class="box-3"><h2 class="add">Create an Album: </h2><label for="name">Name </label><br/><input name="name" id="name">
452	<br/><label for="description">Description </label><br/><input name="description" id="description" size="50">
453	<input name="action" type="hidden" value="add-album">
454	<input class="submit" type="submit" value="Add Album"></div>';
455	}
456
457
458	// this is our defined list of allowed fields for each table
459	$allowedPictureKeys = array("path", "caption", "allow_comments");
460	$allowedAlbumKeys = array("name", "description");
461	$allowedCollectionKeys = array("name", "description");
462	$allowedCommentKeys = array("date", "author", "email", "url", "comment");
463
464
465	// lets iterate through all the content and build a table
466	// set the default level if nothing is specified
467
468	// handle pagination
469	// lets determine the limit filter based on current page and number of results per page
470	if (!isset($_REQUEST["page"])) $_REQUEST["page"] = "1"; // we're on the first page
471
472	if (isset($_REQUEST['entries_per_page']))
473	$_SESSION['entries_per_page'] = $_REQUEST['entries_per_page'];
474	else
475	$_SESSION['entries_per_page'] = 20;
476
477
478	// determine the filtering conditional based on the level and id number
479	if ($level == "albums" or $level == "comments"){
480	$cond = "WHERE `parent_id` = '$_REQUEST[id]'";
481	}
482	else if ($level == "pictures"){
483	$cond = "WHERE `parent_album` = '$_REQUEST[id]'";
484	}
485
486	$url = "?entries_per_page=$_SESSION[entries_per_page]&level=$_REQUEST[level]&id=$_REQUEST[id]";
487
488	$first_item = ($_REQUEST['page'] - 1) * $_SESSION['entries_per_page'];
489	$limit = "LIMIT $first_item, $_SESSION[entries_per_page]";
490
491	// lets generate the pagination menu as well
492	$recordCount = "SELECT COUNT(*) AS num_items FROM ".$TABLE_PREFIX."$level $cond";
493	$totalRowsResult = mysql_query($recordCount);
494	$totalRows = mysql_result($totalRowsResult,'num_items');
495
496	$page = isset($_GET["page"]) ? $_GET["page"] : 1;
497	$pagination_menu = generate_pagination('plog-manage.php'.$url,$page,$totalRows,$_SESSION['entries_per_page']);
498
499	$query = "SELECT * FROM ".$TABLE_PREFIX."$level $cond $limit";
500	$result = run_query($query);
501
502	if ($result) {
503	if (mysql_num_rows($result) == 0) {
504	$output .= generate_breadcrumb_admin($_REQUEST["level"], $_REQUEST["id"]);
505	$output.= '<p class="actions">This table is empty.</p>';
506	}
507	while($row = mysql_fetch_assoc($result)) {
508	// if we're on our first iteration, dump the header
509	if ($counter == 0) {
510	$output .= '<table><tr><td>'
511	.generate_breadcrumb_admin($_REQUEST["level"], $_REQUEST["id"]).'</td>';
512
513	// output view entries pagination control
514	$output .= '<td align="right">'.generate_pagination_view_menu().'</td></tr></table>';
515
516	if ($level == "pictures"){
517	$output .= '<table cellpadding="4"><tr class="header"><td></td><td width="65">Thumb</td>';
518	}
519	else{
520	$output .= '<table cellpadding="4"><tr class="header"><td></td>';
521	}
522
523	foreach ($row as $name => $value) {
524	// check to see if this is allowed
525	$value = SmartStripSlashes($value);
526	if (($level == "albums" && in_array($name, $allowedAlbumKeys)) \|\|
527	($level == "pictures" && in_array($name, $allowedPictureKeys)) \|\|
528	($level == "collections" && in_array($name, $allowedCollectionKeys)) \|\|
529	($level == "comments" && in_array($name, $allowedCommentKeys))) {
530	if ($level == "pictures" && $name == 'path') $name = 'filename';
531	$output .= "<td>".ucfirst($name)."</td>";
532	}
533	}
534
535	$output .= '<td>Actions</td></tr>';
536	}
537
538	if ($counter%2 == 0) $table_row_color = "color-1";
539	else $table_row_color = "color-2";
540
541	// start a new table row (alternating colors)
542	$output .= "<tr class=\"$table_row_color\">";
543
544	// give the row a checkbox
545	$output .= '<td width="15"><input type="CHECKBOX" name="Selected[]" VALUE="'.$row["id"].'"></td>';
546
547	//give the row a thumbnail if we're in pictures view
548	if ($level == "pictures") {
549
550	$thumbpath = generate_thumb($row["path"],$row["id"],'small');
551
552	// generate XHTML with thumbnail and link to picture view.
553	$imgtag = '<img class="photos" src="'.$thumbpath.'" title="'.$row["caption"].'" alt="'.$row["caption"].'" />';
554	$target = 'plog-thumbpopup.php?src='.$row["id"];
555	$java = "javascript:this.ThumbPreviewPopup('$target')";
556
557	$output .= '<td><a href="'.$java.'">'.$imgtag.'</a></td>';
558	}
559
560	foreach($row as $key => $value) {
561	$value = htmlspecialchars($value);
562	if ($key == "name" \|\| ($key == "path" && $level == "pictures")) { // $output .= a link to the next level
563	if ($level == "collections") {
564	$num = count_albums($row['id']);
565	$output .= "<td><a class=\"folder\" href=\"$_SERVER[PHP_SELF]?level=albums&id=$row[id]\">
566	<b>$value </b></a> — contains $num album(s)</td>";
567	}
568	else if ($level == "albums") {
569	$num = count_pictures($row['id']);
570	$output .= "<td><a class=\"folder\" href=\"$_SERVER[PHP_SELF]?level=pictures&id=$row[id]\">
571	<b>$value</b></a> — contains $num picture(s)</td>";
572
573	}
574	else if ($level == "pictures") {
575	$output .= "<td><a class=\"folder\" href=\"$_SERVER[PHP_SELF]?level=comments&id=$row[id]\">
576	<b>".basename($value)."</b></a></td>";
577
578	}
579	else
580	$output .= "<td>$value</td>";
581	}
582	else if ($key == "email") {
583	$output .= "<td><a href=\"mailto:$value\">$value</a></td>";
584	}
585	else if ($key == "allow_comments") {
586	if ($value) $output .= "<td>Yes</td>";
587	else $output .= "<td>No</td>";
588	}
589	else {
590	if (($level == "albums" && in_array($key, $allowedAlbumKeys)) \|\|
591	($level == "pictures" && in_array($key, $allowedPictureKeys)) \|\|
592	($level == "collections" && in_array($key, $allowedCollectionKeys)) \|\|
593	($level == "comments" && in_array($key, $allowedCommentKeys)))
594	$output .= "<td>".SmartStripSlashes($value)."</td>";
595	}
596	}
597
598	// $output .= our actions panel
599	if ($level == "pictures") $query = "?action=edit-picture&pid=$row[id]&level=$_REQUEST[level]&id=$_REQUEST[id]";
600	else if ($level == "collections") $query = "?action=edit-collection&pid=$row[id]&
601	level=$_REQUEST[level]&id=$_REQUEST[id]";
602	else if ($level == "albums") $query = "?action=edit-album&pid=$row[id]&
603	&level=$_REQUEST[level]&id=$_REQUEST[id]";
604	else if ($level == "comments") $query = "?action=edit-comment&pid=$row[id]&level=$_REQUEST[level]&id=$_REQUEST[id]";
605
606
607	$output .= '<td width="50"><a href="'.$_SERVER["PHP_SELF"]."$query&entries_per_page=$_SESSION[entries_per_page]".
608	'"><img style="display:inline" src="../graphics/edit.gif" alt="Edit" title="Edit"></a><a href="'.$_SERVER["PHP_SELF"]."?action=Delete+Checked&Selected[]=$row[id]&level=$_REQUEST[level]&id=$_REQUEST[id]".'"
609	onClick="return confirm(\'Are you sure you want to delete this item?\');"><img style="display:inline" src="../graphics/x.gif" alt="Delete" title="Delete"></a></td>';
610
611
612	$output .= "</tr>";
613	$counter++;
614	}
615
616	$output .= '<tr class="header"><td colspan="7"></td></tr></table>';
617	}
618
619	$output .= '
620	<table><tr><td><a href="#" onclick="checkAll(document.getElementById(\'contentList\')); return false; ">Invert Checkbox Selection</a></td><td align="right">'.$pagination_menu.'</td></tr></table>'.
621	'<input type="hidden" name="level" value="'.$level.'" />
622	<input type="hidden" name="id" value="'.$_REQUEST["id"].'" />
623	<input class="submit" type="submit" name="action" onClick="return confirm(\'Are you sure you want to delete selected items?\');"
624	value="Delete Checked">
625	'.generate_move_menu($level).'</form>';
626
627	display($output, "manage");
628	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: